Security News > 2020 > December > PGMiner, Innovative Monero-Mining Botnet, Surprises Researchers
An innovative Linux-based cryptocurrency mining botnet has been uncovered, which exploits a disputed PostgreSQL remote code-execution vulnerability to compromise database servers.
The miner takes a fileless approach, deleting the PostgreSQL table right after code launch, researchers said: PGMiner clears the "Abroxu" table if it exists, creates a new "Abroxu" table with a text column, saves the malicious payload to it, executes the payload on the PostgreSQL server and then clears the created table.
"After resolving the SOCKS5 proxy server IP address, PGMiner rotates through a list of folders to find the first one that allows permission to create a new file and update its attributes," researchers said.
The next step, researchers said, is environment cleanup: It removes cloud security monitoring tools such as Aegis, and Qcloud monitor utilities such as Yunjing; checks for virtual machines; kills all other CPU intensive processes such as system updates; and kills competitor mining processes.
As for how successful or widespread the botnet is, the researchers said they observed this particular PGMiner sample attempting to connect to a mining pool for Monero, but it wasn't active.